PowerPay - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

PowerPay

Description:

... recognized a need to protect Card Data to prevent theft ... Later the other card associations followed Visa's lead with ... Discover. Visa. JCB (Japan ... – PowerPoint PPT presentation

Number of Views:123
Avg rating:3.0/5.0
Slides: 37
Provided by: drewm
Category:

less

Transcript and Presenter's Notes

Title: PowerPay


1
PCI What It Is And What It Means To The You

2
Contents
  • PCI History
  • What is PCI
  • What is not PCI
  • Who must protect Card Data
  • Merchant PCI Compliance
  • Definitions
  • Useful Web Sites
  • Questions

3
PCI History
4
PCI History
  • Late 90s - Visa recognized a need to protect
    Card Data to prevent theft
  • June, 2001 Visa mandated rules to protect Card
    Data
  • Later the other card associations followed Visas
    lead with their own programs

5
PCI History
  • The Four Programs Were Called
  • Visa CISP Cardholder Information Security
    Program
  • MasterCard SDP Site Data Protection
  • American Express DSOP - Data Security Operating
    Policy
  • Discover DISC - Discover Information Security
    Compliance

6
PCI History
  • Once there were four programs
  • Confusion ensued
  • There were now four sets of rules, guidelines,
    penalties and fines

7
The Solution

8
PCI History
  • The creation of a standards organization in 2006
    named Payment Card Industry Security Standards
    Council
  • Also Known As PCI
  • The founding members were the five major card
    brands
  • American Express
  • MasterCard
  • Discover
  • Visa
  • JCB (Japan Credit Bureau)
  • Primarily seen in Hawaii, California and other
    major T E Markets in the USA

9
PCI History
  • Not The Perfect Solution
  • The Good News
  • The security guidelines have been consolidated
    under a single entity PCI DSS Data Security
    Standard
  • Your Compliance and IT staff will appreciate this
  • The Bad News
  • Due to federal restraint of trade laws, the card
    brands can not collude on the rules, penalties
    and fines
  • So we must still please multiple masters
  • For the most part, Visas rules are the most
    restrictive and therefore are used as the
    bellweather guideline

10
What Is PCI
11
What Is PCI
(This is the most important slide)
  • PCI is the industry group responsible for
    defining the security standards for protecting
    Card Data
  • What is the protected Card Data?
  • SIX DATA ITEMS (FIVE ARE ON THE CARD)
  • The Full Contents of the Magnetic Stripe
  • The Credit Card Account Number
  • Also known as the PAN or Primary Account Number
  • Cardholder Name
  • The Card Security Code (aka CVV2, CVC2 or CID)
  • PIN / PIN Block
  • The Expiration Date

12
What Is PCI
  • Twelve Requirements
  • Install and maintain a firewall configuration
  • Do not use default passwords
  • Protect cardholder data
  • Encrypt transmission of cardholder data
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems
    applications
  • Restrict access to cardholder data

13
What Is PCI
  • Twelve Requirements (continued)
  • Assign a unique ID to each person with computer
    access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources
    and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information
    security for employees and contractors

14
What Is PCI
  • PCI Is Not
  • The FTCs Identity Theft Programs
  • Personally Identifiable Information (PII)
  • Protection of Social Security Numbers
  • FACTA
  • HIPAA
  • Sorbanes Oxley (SOX)
  • Gramm Leach Bliley Act
  • FFIEC
  • The Patriot Act (OFAC or AML)

15
What Is PCI
  • PCI Is Not (continued)
  • A Legal Issue (With the exception of Minnesota)
  • Rather it is a contractual agreement between the
    merchant and the card brands to protect certain
    pieces of Card Data
  • If you break that agreement, it will cost you a
    minimum of 10,000 for a security assessment plus
    you can be charged fees for damages, fines for
    breaking the agreement and in egregious
    situations have your merchant contract
    permanently canceled (TMF)

16
What Is PCI
  • Who must protect Card Data?
  • Anyone that handles it - Primarily
  • Merchants
  • Processors
  • Paymentech, Global, TSYS, FDR, etc.
  • Banks
  • Issuers Acquirers (HSBC)
  • Third Party Providers
  • Gateways (Authorize.net, Plug NPay, etc.)
  • Gift Cards, Loyalty Cards, etc.
  • ISOs
  • PowerPay
  • With the exception of the Merchant, every other
    entity that PowerPay uses is PCI Compliant

17
Merchant PCI Compliance
18
Merchant PCI Compliance
  • What do you, the merchant, have to do to become
    PCI compliant?
  • It depends on two different parameters
  • Your Merchant Level (As defined by Visa)
  • How you process the Card Data
  • Credit Card Terminal
  • Stand Alone Dial-Up PC or ECR
  • Internet Connected PC or ECR
  • Computers via the Internet (eCommerce)

19
Merchant PCI Compliance
  • Merchant Levels Defined (By Visa)
  • Any merchant processing over 6,000,000 annual
    Visa transactions, Or Any merchant that has
    suffered a breach that resulted in data
    compromise, Or Any merchant Visa, in its sole
    discretion, determines must meet Level 1
    Requirements, Or Any merchant identified by any
    other payment card brand as Level 1
  • Any merchant processing 1,000,000 up to 6,000,000
    annual Visa transactions
  • Any merchant processing 20,000 up to 1,000,000
    annual Visa eCommerce transactions
  • Any merchant processing less than 20,000 Visa
    eCommerce transactions annually or up to
    1,000,000 annual Visa transactions

20
Merchant PCI Compliance
  • Merchant Level Requirements
  • All levels must Comply With The PCI DSS and
    Perform Quarterly Network Scans
  • Level 1 Must also Perform An Annual On-Site PCI
    Security Audit
  • Levels 2, 3 4 Must Complete The Appropriate PCI
    Self Assessment Questionnaire (SAQ)

21
Merchant PCI Compliance
  • SAQs Defined
  • A Q 11 - Card-not-present (e-commerce or
    mail/telephone-order) merchants, all cardholder
    data functions outsourced. This would never apply
    to face-to-face merchants.
  • B Q 31 - Imprint-only merchants with no
    electronic cardholder data storage or Stand-alone
    dial terminal merchants, no electronic cardholder
    data storage
  • C Q 41 - Merchants with POS systems
    connected to the Internet, no electronic
    cardholder data storage
  • D Q 226 - All other merchants (not included
    in Types 1-4 above) and all service providers
    defined by a payment brand as eligible to
    complete an SAQ

22
Merchant PCI Compliance
  • Device Dependencies
  • Credit Card Terminal
  • As long as the software is supplied by PowerPay
    and you are a Level 4 merchant you are PCI
    Compliant
  • Our terminal applications are PCI DSS Compliant
  • You do not need to perform the network scan
  • For now, you do not have to complete the SAQ
  • Level 1, 2 and 3 merchants are very unlikely to
    be using a Credit Card Terminal due to the
    quantity of daily transactions necessary to reach
    these levels

23
Merchant PCI Compliance
  • Device Dependencies (continued)
  • Stand Alone PC or ECR
  • You must ensure your software and networks are
    PCI DSS compliant
  • Best recommendation is to use PABP or PA-DSS
    software (Easy Pay)
  • For Level
  • 1 merchants you must perform an annual On-Site
    PCI Security Audit
  • 2 or 3 merchants you must complete the SAQ
  • 4 merchants you may optionally complete the SAQ
  • If applicable, perform Quarterly Network Scans

24
Merchant PCI Compliance
  • Device Dependencies (continued)
  • Networked PC or ECR
  • You must ensure your software and networks are
    PCI DSS compliant
  • Best recommendation is to use PABP or PA-DSS
    software (Easy Pay)
  • For Level
  • 1 merchants you must perform an annual On-Site
    PCI Security Audit
  • 2 or 3 merchants you must complete the SAQ
  • 4 merchants you may optionally complete the SAQ
  • Perform Quarterly Network Scans

25
Merchant PCI Compliance
  • Device Dependencies (continued)
  • Computers via the Internet (eCommerce)
  • You must ensure your software and networks are
    PCI DSS compliant
  • Best recommendation is to use PABP or PA-DSS
    software, Gateway and shopping cart
  • For Level
  • 1 merchants you must perform an annual On-Site
    PCI Security Audit
  • 2 or 3 merchants you must complete the SAQ
  • 4 merchants you may optionally complete the SAQ
  • Perform Quarterly Network Scans

26
Merchant PCI Compliance
  • Two More PCI Compliance Areas
  • Certified Payment Applications
  • This is a Visa standard known as PABP Payment
    Application Best Practice
  • In early 2008 PCI will take over this standard
    and rename it PA-DSS - Payment Application Data
    Security Standard
  • PowerPays Easy Pay Software
  • It is currently PABP certified
  • It will become PA-DSS certified once it is
    available
  • Certified PIN Pads
  • PCI also has standards for PIN Entry Devices -
    PEDs
  • All PIN Pads purchased from PowerPay will

27
Merchant PCI Compliance
  • Important Dates
  • January 1, 2008
  • Newly boarded merchants must not use known
    vulnerable payment applications (Primarily PC and
    ECR based merchants)
  • October 1, 2008
  • Newly boarded Level 3 and 4 merchants must be PCI
    DSS compliant or use PABP and/or PA-DSS compliant
    applications
  • July 1, 2010
  • All merchants must be using only PABP and/or
    PA-DSS compliant applications

28
Definitions
29
Definitions
  • PCI SSC Payment Card Industry Security Standards
    Council
  • PCI DSS Payment Card Industry Data Security
    Standard
  • PABP Payment Application Best Practices
  • PA-DSS Payment Application Data Security
    Standard Due out early 2008
  • CAP Certified Application Provider
  • ASV Approved Scanning Vendor
  • SAQ Self Assessment Questionnaire
  • QSA Qualified Security Assessor
  • PED PIN Entry Device (PIN Pad)
  • ROC Report of Compliance
  • TMF Terminated Merchant File

30
Useful Web Sites
31
Useful Web Sites
  • Electronic Transaction Association
  • Listing of Current State Laws
  • (Download PDF at bottom of page)
  • http//www.electran.org/content/view/523/42

32
Useful Web Sites
  • Visa
  • Main CISP Page
  • http//usa.visa.com/merchants/risk_management/cisp
    .html
  • Merchant Information
  • http//usa.visa.com/merchants/risk_management/cisp
    _overview.html

33
Useful Web Sites
  • MasterCard
  • Main Security Page
  • http//www.mastercard.com/us/merchant/security/ind
    ex.html

34
Useful Web Sites
  • PCI Security Standards Council
  • Main
  • http//www.pcisecuritystandards.org
  • FAQs
  • https//www.pcisecuritystandards.org/about/faqs.ht
    mq1
  • Site Map
  • https//www.pcisecuritystandards.org/map/index.htm
  • Approved Scanning Vendors
  • https//www.pcisecuritystandards.org/pdfs/asv_repo
    rt.html

35
Useful Web Sites
  • BBB
  • http//www.bbb.org/securityandprivacy
  • There are many good resources on this site
  • I recommend downloading a copy of Security
    Privacy - Made Simpler - A document targeting
    Small Business Owners with digestible
    information about securing their customer and
    employee data. Seven (7) major corporations
    partnered with the BBB on this initiative.
  • To Download, look for the following on the Web
    page
  • Click here to download your complimentary copy of
    Security Privacy - Made Simpler

36
Questions ? ? ?
Write a Comment
User Comments (0)
About PowerShow.com